
Tuesday, November 12, 2013

How to use SUID for shell scripts in Linux?

Question: How do I write a shell script that reads the passwords/connect strings it needs from a config file, so that other users can execute the script but cannot read the config file?

Say, I have a config file, myconfig.txt, which contains credentials for an oracle connection:

The issue here is that any user with permission to run this script can learn the password stored in myconfig.txt, either by reading the file directly or by running the shell script in debug mode (for example with `sh -x`).

How do we prevent the user from reading the password?
Removing the read permission for group and others on myconfig.txt will not help, because then the other users will not be able to run the script either.

Setting the SUID bit on the shell script:
Removing the read permission and then setting the SUID bit on the shell script itself works on, say, Solaris, but not on Linux, because the Linux kernel honours SUID only on binary executables, not on interpreted (shebang) scripts.

Solution:
To get a binary executable we need to write the code in a compiled language such as C or C++.
Let us write a C program that reads myconfig.txt, sets an environment variable for each entry in the file, and then invokes the shell script. That should suffice:
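A worked version of that wrapper, added here as an example; it is not code from the original post. It assumes a `KEY=VALUE` config format (one entry per line, `#` comments allowed) and the paths `/opt/myapp/myconfig.txt` and `/opt/myapp/myscript.sh`. The wrapper starts from an empty environment so the caller cannot pass in variables the script would trust, exports the config entries, drops its effective uid back to the caller (only reading the file needs the owner's identity), and execs the script by absolute path. Keep in mind that this hides the file, not the secret: the script runs as the caller, so the exported values are visible inside it (`env` from the script would print them); if that matters, keep the credential inside the privileged program and do the privileged work there instead of exporting it.

```c
/* suid_wrapper.c (assumed name). Added example, not the post's own code.
 * Install as the config owner:  chmod 600 myconfig.txt; chmod 4711 runscript */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFIG_PATH "/opt/myapp/myconfig.txt"   /* assumed location */
#define SCRIPT_PATH "/opt/myapp/myscript.sh"    /* assumed location */
#define SAFE_PATH   "/usr/local/bin:/usr/bin:/bin"

/* Parse one "KEY=VALUE" line. Returns 1 and fills key/value on success,
 * 0 for blank lines, "#" comments and malformed lines. The key must be a
 * valid environment variable name; the value keeps any further '='
 * characters, since connect strings may contain them. */
int parse_config_line(const char *line, char *key, size_t keylen,
                      char *value, size_t vallen)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return 0;
    size_t klen = (size_t)(eq - line);
    while (klen > 0 && (line[klen - 1] == ' ' || line[klen - 1] == '\t'))
        klen--;                                   /* trim "KEY =" */
    if (klen == 0 || klen >= keylen)
        return 0;
    for (size_t i = 0; i < klen; i++)
        if (!isalnum((unsigned char)line[i]) && line[i] != '_')
            return 0;
    memcpy(key, line, klen);
    key[klen] = '\0';

    const char *v = eq + 1;
    while (*v == ' ' || *v == '\t')
        v++;                                      /* trim "= VALUE" */
    size_t vlen = strlen(v);
    while (vlen > 0 && (v[vlen - 1] == '\n' || v[vlen - 1] == '\r'))
        vlen--;
    if (vlen >= vallen)
        return 0;
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return 1;
}

/* Export every valid entry read from an open stream; returns the count. */
int load_config_stream(FILE *fp)
{
    char line[1024], key[128], value[896];
    int n = 0;
    while (fgets(line, sizeof line, fp) != NULL)
        if (parse_config_line(line, key, sizeof key, value, sizeof value)
            && setenv(key, value, 1) == 0)
            n++;
    return n;
}

/* Open the config file (readable only through the effective uid granted by
 * the SUID bit) and export it. Returns -1 if it cannot be opened. */
int load_config(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    int n = load_config_stream(fp);
    fclose(fp);
    return n;
}

int main(void)
{
    /* Empty environment first: nothing the caller set (PATH, IFS, LD_*)
     * reaches the script; only a fixed PATH and the config entries do. */
    clearenv();
    setenv("PATH", SAFE_PATH, 1);

    if (load_config(CONFIG_PATH) < 0) {
        perror("cannot read config");
        return 1;
    }

    /* The file has been read; nothing else needs the owner's identity,
     * so run the script as the real (calling) user. */
    uid_t ruid = getuid();
    if (setresuid(ruid, ruid, ruid) != 0) {
        perror("setresuid");
        return 1;
    }

    /* Absolute path, no intermediate shell, no caller-controlled arguments. */
    execl(SCRIPT_PATH, SCRIPT_PATH, (char *)NULL);
    perror("exec");   /* reached only if the exec failed */
    return 1;
}
```

The privilege drop uses `setresuid` rather than `setuid` so the saved uid is cleared as well; with a non-root owner, plain `setuid` would change only the effective uid and leave the owner's identity recoverable.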